* Segfault on lookups with wildcards
@ 2010-03-04 21:23 Leonardo Chiquitto
  2010-03-06  6:23 ` Ian Kent
  0 siblings, 1 reply; 2+ messages in thread
From: Leonardo Chiquitto @ 2010-03-04 21:23 UTC (permalink / raw)
  To: autofs

[-- Attachment #1: Type: text/plain, Size: 2589 bytes --]

Hello,

There is a problem in AutoFS (5.0.5 plus all patches released so far)
related to negative caching of keys that start with an '*'.

How to reproduce:

# cat /etc/auto.master
/nfs	/etc/auto.nfs

# cat /etc/auto.nfs
*	-ro,hard,intr,nolock 10.1.1.4:/export/&

# stat '/nfs/*foo'

Automount will segfault (please see logs attached) in lookup_mount()
(lookup_file.c:1075):

1074				me = cache_lookup_distinct(mc, key);
1075				me->status = now + ap->negative_timeout;

(gdb) print me
$1 = (struct mapent *) 0x0

Here's the call trace for reference:

#0  0x00007fc74e22c423 in lookup_mount (ap=<value optimized out>,
name=<value optimized out>, name_len=<value optimized out>,
context=<value optimized out>)
    at lookup_file.c:1075
#1  0x00007fc74fdbd065 in lookup_name_file_source_instance
(ap=0x7fc74ffffc00, map=0x7fc74ffffd10, name=0x7fc74fd60ea0 "*foo",
name_len=4) at lookup.c:707
#2  0x00007fc74fdbd958 in lookup_nss_mount (ap=0x7fc74ffffc00,
source=0x0, name=0x7fc74fd60ea0 "*foo", name_len=4) at lookup.c:894
#3  0x00007fc74fdb3d76 in do_mount_indirect (arg=0x7fc74ffffc00) at
indirect.c:813
#4  0x00007fc74f416a3f in start_thread (arg=0x7fc74fd63710) at
pthread_create.c:297
#5  0x00007fc74f180ecd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#6  0x0000000000000000 in ?? ()

If I understand correctly, the code assumes that "me" will never be
NULL because cache_update() was called a couple of lines above to insert
the key into the cache.

The problem is that cache_update() won't add the key into the cache
if it starts with an '*', as we can see in lib/cache.c:1067:

	me = cache_lookup(mc, key);
	while (me && me->source != ms)
		me = cache_lookup_key_next(me);
	if (!me || (*me->key == '*' && *key != '*')) {	<===
		ret = cache_add(mc, ms, key, mapent, age);

I verified that a patch like this will fix the problem:

Index: autofs-5.0.5/lib/cache.c
===================================================================
--- autofs-5.0.5.orig/lib/cache.c
+++ autofs-5.0.5/lib/cache.c
@@ -719,7 +719,7 @@ int cache_update(struct mapent_cache *mc
 	me = cache_lookup(mc, key);
 	while (me && me->source != ms)
 		me = cache_lookup_key_next(me);
-	if (!me || (*me->key == '*' && *key != '*')) {
+	if (!me || (*me->key == '*' && (strcmp(key, "*") != 0))) {
 		ret = cache_add(mc, ms, key, mapent, age);
 		if (!ret) {
 			debug(logopt, "failed for %s", key);
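
Review bot: The changed condition is now asymmetric: the right-hand test compares the whole key (strcmp(key, "*") != 0) while the left-hand test, *me->key == '*', still looks only at the first character of the cached entry's key. Once this change lets a key such as "*foo" into the cache, a second update for the same key finds that entry, passes both tests, and takes the cache_add() branch again. Consider an exact comparison on both sides, e.g. strcmp(me->key, "*") == 0 && strcmp(key, "*") != 0, with a short comment that only the literal "*" key is the wildcard entry.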


However, I'm not sure if it is correct. The test "*key == '*'" appears
in other functions, so I was wondering if it's a good idea to add keys
with wildcards into the cache after all.

Thanks!
Leonardo

[-- Attachment #2: log-autofs.txt --]
[-- Type: text/plain, Size: 3186 bytes --]

Mar  4 17:40:37 n30 automount[18528]: Starting automounter version 5.0.5, master map auto.master
Mar  4 17:40:37 n30 automount[18528]: using kernel protocol version 5.01
Mar  4 17:40:37 n30 automount[18528]: lookup_nss_read_master: reading master files auto.master
Mar  4 17:40:37 n30 automount[18528]: parse_init: parse(sun): init gathered global options: (null)
Mar  4 17:40:37 n30 automount[18528]: lookup_read_master: lookup(file): read entry /nfs
Mar  4 17:40:37 n30 automount[18528]: master_do_mount: mounting /nfs
Mar  4 17:40:37 n30 automount[18528]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-nfs
Mar  4 17:40:37 n30 automount[18528]: lookup_nss_read_map: reading map file /etc/auto.nfs
Mar  4 17:40:37 n30 automount[18528]: parse_init: parse(sun): init gathered global options: (null)
Mar  4 17:40:37 n30 automount[18528]: remount_active_mount: trying to re-connect to mount /nfs
Mar  4 17:40:37 n30 automount[18528]: mounted indirect on /nfs with timeout 600, freq 150 seconds
Mar  4 17:40:37 n30 automount[18528]: remount_active_mount: re-connected to mount /nfs
Mar  4 17:40:37 n30 automount[18528]: st_ready: st_ready(): state = 0 path /nfs
Mar  4 17:40:37 n30 automount[18528]: ghosting enabled
Mar  4 17:41:02 n30 automount[18528]: handle_packet: type = 3
Mar  4 17:41:02 n30 automount[18528]: handle_packet_missing_indirect: token 77, name *foo, request pid 18539
Mar  4 17:41:02 n30 automount[18528]: attempting to mount entry /nfs/*foo
Mar  4 17:41:02 n30 automount[18528]: lookup_mount: lookup(file): looking up *foo
Mar  4 17:41:02 n30 automount[18528]: lookup_mount: lookup(file): *foo -> -ro,hard,intr,nolock 10.1.1.4:/export/&
Mar  4 17:41:02 n30 automount[18528]: parse_mount: parse(sun): expanded entry: -ro,hard,intr,nolock 10.1.1.4:/export/*foo
Mar  4 17:41:02 n30 automount[18528]: parse_mount: parse(sun): gathered options: ro,hard,intr,nolock
Mar  4 17:41:02 n30 automount[18528]: parse_mount: parse(sun): dequote("10.1.1.4:/export/*foo") -> 10.1.1.4:/export/*foo
Mar  4 17:41:02 n30 automount[18528]: parse_mount: parse(sun): core of entry: options=ro,hard,intr,nolock, loc=10.1.1.4:/export/*foo
Mar  4 17:41:02 n30 automount[18528]: sun_mount: parse(sun): mounting root /nfs, mountpoint *foo, what 10.1.1.4:/export/*foo, fstype nfs, options ro,hard,intr,nolock
Mar  4 17:41:02 n30 automount[18528]: mount_mount: mount(nfs): root=/nfs name=*foo what=10.1.1.4:/export/*foo, fstype=nfs, options=ro,hard,intr,nolock
Mar  4 17:41:02 n30 automount[18528]: mount_mount: mount(nfs): nfs options="ro,hard,intr,nolock", nosymlink=0, ro=1
Mar  4 17:41:02 n30 automount[18528]: mount_mount: mount(nfs): calling mkdir_path /nfs/*foo
Mar  4 17:41:02 n30 automount[18528]: mount_mount: mount(nfs): calling mount -t nfs -s -o ro,hard,intr,nolock 10.1.1.4:/export/*foo /nfs/*foo
Mar  4 17:41:02 n30 automount[18528]: >> mount.nfs: access denied by server while mounting 10.1.1.4:/export/*foo
Mar  4 17:41:02 n30 automount[18528]: mount(nfs): nfs: mount failure 10.1.1.4:/export/*foo on /nfs/*foo
Mar  4 17:41:02 n30 kernel: [37406.116873] automount[18540]: segfault at 98 ip 00007fc74e22c423 sp 00007fc74fd5f830 error 6 in lookup_file.so[7fc74e224000+1c000]

[-- Attachment #3: Type: text/plain, Size: 140 bytes --]

_______________________________________________
autofs mailing list
autofs@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/autofs
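
Added example, not part of the original message and not autofs code: a constructed toy model in C of the condition analysed in the report, showing why a key like "*foo" never gets its own entry under the first-character test and how a whole-key comparison plus a NULL check in the caller behaves. All toy_* names and the 60-second timeout are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed toy model, not autofs code; all toy_* names are hypothetical. */
struct ent { char key[32]; long status; struct ent *next; }; /* "*" = wildcard */

/* Exact match only (the role cache_lookup_distinct() plays in the report). */
static struct ent *toy_distinct(struct ent *c, const char *key) {
    for (; c; c = c->next)
        if (strcmp(c->key, key) == 0) return c;
    return NULL;
}

static void toy_add(struct ent **c, const char *key) {
    struct ent *e = calloc(1, sizeof(*e));
    if (!e) return;
    snprintf(e->key, sizeof(e->key), "%s", key);
    e->next = *c;
    *c = e;
}

/* Add a distinct entry when the lookup only matched the wildcard.
 * exact=0: first-character test from the report; exact=1: whole-key test. */
static void toy_update(struct ent **c, const char *key, int exact) {
    struct ent *me = toy_distinct(*c, key);
    if (!me) me = toy_distinct(*c, "*");          /* wildcard fallback */
    int add = !me;
    if (me && exact) add = !strcmp(me->key, "*") && strcmp(key, "*") != 0;
    if (me && !exact) add = *me->key == '*' && *key != '*';
    if (add) toy_add(c, key);
}

/* Negative-cache `key` in a map holding only "*": 0 on success, -1 when no
 * entry exists. Without the NULL check this is the reported dereference. */
int toy_negative_cache(const char *key, int exact) {
    struct ent *c = NULL, *me, *n;
    toy_add(&c, "*");
    toy_update(&c, key, exact);
    me = toy_distinct(c, key);
    if (me) me->status = 60;                      /* now + negative_timeout */
    int rc = me ? 0 : -1;
    for (; c; c = n) { n = c->next; free(c); }
    return rc;
}

int main(void) {
    printf("first-char: %d, whole-key: %d\n", toy_negative_cache("*foo", 0), toy_negative_cache("*foo", 1));
    return 0;
}
```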


* Re: Segfault on lookups with wildcards
  2010-03-04 21:23 Segfault on lookups with wildcards Leonardo Chiquitto
@ 2010-03-06  6:23 ` Ian Kent
  0 siblings, 0 replies; 2+ messages in thread
From: Ian Kent @ 2010-03-06  6:23 UTC (permalink / raw)
  To: Leonardo Chiquitto; +Cc: autofs

On Thu, 2010-03-04 at 18:23 -0300, Leonardo Chiquitto wrote:
> Hello,
> 
> There is a problem in AutoFS (5.0.5 plus all patches released so far)
> related to negative caching of keys that start with an '*'.


This is quite strange.

This bug has been in the code for years but in the last few days I've
had three reports of the problem and now you've also seen it.

My initial change used a strcmp for both the tests in your patch but I
need to go right through the code and have a look at all the tests
against '*'. I also thought about whether we should add keys with a
wildcard in them but the hassle is dealing with keys that have an escaped '*'
in them and dealing with negative requests so we can avoid unnecessary
mount attempts.

> 
> How to reproduce:
> 
> # cat /etc/auto.master
> /nfs	/etc/auto.nfs
> 
> # cat /etc/auto.nfs
> *	-ro,hard,intr,nolock 10.1.1.4:/export/&
> 
> # stat '/nfs/*foo'
> 
> Automount will segfault (please see logs attached) in lookup_mount()
> (lookup_file.c:1075):
> 
> 1074				me = cache_lookup_distinct(mc, key);
> 1075				me->status = now + ap->negative_timeout;
> 
> (gdb) print me
> $1 = (struct mapent *) 0x0
> 
> Here's the call trace for reference:
> 
> #0  0x00007fc74e22c423 in lookup_mount (ap=<value optimized out>,
> name=<value optimized out>, name_len=<value optimized out>,
> context=<value optimized out>)
>     at lookup_file.c:1075
> #1  0x00007fc74fdbd065 in lookup_name_file_source_instance
> (ap=0x7fc74ffffc00, map=0x7fc74ffffd10, name=0x7fc74fd60ea0 "*foo",
> name_len=4) at lookup.c:707
> #2  0x00007fc74fdbd958 in lookup_nss_mount (ap=0x7fc74ffffc00,
> source=0x0, name=0x7fc74fd60ea0 "*foo", name_len=4) at lookup.c:894
> #3  0x00007fc74fdb3d76 in do_mount_indirect (arg=0x7fc74ffffc00) at
> indirect.c:813
> #4  0x00007fc74f416a3f in start_thread (arg=0x7fc74fd63710) at
> pthread_create.c:297
> #5  0x00007fc74f180ecd in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
> #6  0x0000000000000000 in ?? ()
> 
> If I understand correctly, the code assumes that "me" will never be
> NULL because cache_update() was called a couple of lines above to insert
> the key into the cache.
> 
> The problem is that cache_update() won't add the key into the cache
> if it starts with an '*', as we can see in lib/cache.c:1067:
> 
> 	me = cache_lookup(mc, key);
> 	while (me && me->source != ms)
> 		me = cache_lookup_key_next(me);
> 	if (!me || (*me->key == '*' && *key != '*')) {	<===
> 		ret = cache_add(mc, ms, key, mapent, age);
> 
> I verified that a patch like this will fix the problem:
> 
> Index: autofs-5.0.5/lib/cache.c
> ===================================================================
> --- autofs-5.0.5.orig/lib/cache.c
> +++ autofs-5.0.5/lib/cache.c
> @@ -719,7 +719,7 @@ int cache_update(struct mapent_cache *mc
>  	me = cache_lookup(mc, key);
>  	while (me && me->source != ms)
>  		me = cache_lookup_key_next(me);
> -	if (!me || (*me->key == '*' && *key != '*')) {
> +	if (!me || (*me->key == '*' && (strcmp(key, "*") != 0))) {
>  		ret = cache_add(mc, ms, key, mapent, age);
>  		if (!ret) {
>  			debug(logopt, "failed for %s", key);
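
Review bot: The if (!ret) branch kept as context after the changed line shows that cache_add() can still fail, and in that case no entry exists for the key when cache_update() returns. The caller quoted in the report (lookup_file.c:1074-1075) dereferences the result of cache_lookup_distinct() without a check, so this change narrows the crash but does not remove it. A NULL test before me->status = now + ap->negative_timeout; belongs with this fix.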
> 
> 
> However, I'm not sure if it is correct. The test "*key == '*'" appears
> in other functions, so I was wondering if it's a good idea to add keys
> with wildcards into the cache after all.
> 
> Thanks!
> Leonardo
